Appendix C: Configure WSUS for Network Load Balancing

Network load balancing (NLB) is a strategy that can keep networks running even if one (or more) servers go offline. It can be used in conjunction with WSUS, but requires special steps at setup time.

You should set up WSUS for NLB after configuring your SQL Server 2005 database as a failover cluster. For more information about how to set up SQL Server 2005 as a failover cluster, see How to: Create a New SQL Server 2005 Failover Cluster at http://go.microsoft.com/fwlink/?LinkId=76490. However, you should set up WSUS before configuring the NLB cluster. For more information about how to set up an NLB cluster, see Network Load Balancing Clusters at http://go.microsoft.com/fwlink/?LinkId=76491.

Note

None of the servers taking part in the cluster should be a front-end domain controller.

Important

The maximum number of front-end WSUS servers per database instance is four.

When you have finished this step, you will have the back-end SQL machine set up, as well as one of the front-end WSUS server machines. In the next step you will set up the other front-end WSUS servers.

You should create a single file location that is available to all the front-end WSUS servers. Even if you do not store updates locally, you will need a location for End User License Agreement files. You may wish to do so by storing them on a Distributed File System share.

Note

It is not necessary to use a DFS share with an NLB cluster. You can use a standard network share, and you can ensure redundancy by storing updates on a RAID controller.

This step explains how to set up DFS on one of the servers in your cluster, on a server running Windows Server 2003.

Go to Start, point at All Programs, point at Administrative Tools, and click Distributed File System.

You will see the Distributed File System management console. Right-click the Distributed File System node in the left pane and click New Root in the shortcut menu.

You will see the New Root Wizard. Click Next.

In the Root Type screen, select Stand-alone root as the type of root, and click Next.

In the Host Server screen, type the name of the host server for the DFS root or search for it with Browse, and then click Next.

In the Root Name screen, type the name of the DFS root, and then click Next.

In the Root Share screen, select the folder that will serve as the share, or create a new one. Click Next.

In the last screen of the wizard, review your selections before clicking Finish.

You will see an error message if the Distributed File System service has not yet been started on the server. You can start it at this time.

Make sure that the domain account of each of the front-end WSUS servers has change permissions on the root folder of this share. That is, if there is a WSUS server installed locally on the computer that has the DFS share, the Network Service account should have change permissions on the root folder. In addition, the user account of the administrator who will run the movecontent command (in Step 5) should also have change permissions. For each of the remote WSUS servers, the domain/computer account (where domain is the name of the domain and computer is the name of the computer) should have change permissions on the root folder of the share.

After you install a WSUS update, verify the NTFS permissions on the WSUSContent folder. The NTFS permissions on the WSUSContent folder may be reset to the default values by the installer.

Note

For more information about setting permissions on DFS shares, see KB 308568, "How To Set File Permissions for Shares in DFS Replica Sets to Apply to All Replicas" (http://go.microsoft.com/fwlink/?LinkId=86550).
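One way to run the post-update permission check described above, as an added example that is not part of the original documentation. It assumes that "change" corresponds to the NTFS Modify right; the folder path and account names are constructed placeholders, and the function name is hypothetical.

```powershell
# Added example: report required accounts that lack Modify on the WSUS content folder.
# Only access rules that name the account directly are evaluated; rights granted
# through group membership are not resolved.
function Test-WsusContentAcl {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $RequiredAccounts
    )
    $modify      = [System.Security.AccessControl.FileSystemRights]::Modify
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Keep only rules that apply to the folder itself, not just to its children.
    $rules = (Get-Acl -Path $Path).Access |
        Where-Object { ($_.PropagationFlags -band $inheritOnly) -eq 0 }

    foreach ($account in $RequiredAccounts) {
        $mine  = @($rules | Where-Object { $_.IdentityReference.Value -ieq $account })
        $allow = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $modify) -eq $modify })
        # Any Deny rule touching part of Modify overrides the Allow rules.
        $deny  = @($mine | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.FileSystemRights -band $modify) -ne 0 })

        New-Object PSObject -Property @{
            Account   = $account
            HasModify = ($allow.Count -gt 0 -and $deny.Count -eq 0)
            RuleCount = $mine.Count
        }
    }
}

# Constructed placeholders: the local Network Service account, one remote
# front-end computer account, and the administrator who runs movecontent.
$required = 'NT AUTHORITY\NETWORK SERVICE', 'EXAMPLE\WSUSFE2$', 'EXAMPLE\wsusadmin'

# List only the accounts that need attention after the update.
Test-WsusContentAcl -Path 'D:\WSUS\WsusContent' -RequiredAccounts $required |
    Where-Object { -not $_.HasModify }
```

An empty result means every listed account still holds Modify directly on the folder; any row returned is an account whose permissions the installer may have reset.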

Now it is possible to move the content directories on the first front-end WSUS server to the DFS share. This is the first WSUS front-end server you set up in Step 1. You will not have to move the local content directory on the front-end servers you set up in Step 2.

Click Start, then Control Panel, Network Connections, Local Area Connection, and click Properties.

Under This connection uses the following items, you may see an entry for Network Load Balancing. If you do not, click Install, then (on the Select Network Component Type screen) select Service, then click Add, then (on the Select Network Service screen) select Network Load Balancing, then OK.

On the Local Area Connection Properties screen, select Network Load Balancing, and then click OK.

On the Local Area Connection Properties screen, select Network Load Balancing, and then click Properties.

On the Cluster Parameters tab, fill in the relevant information (the virtual IP address to be shared among the front-end computers, and the subnet mask). Under Cluster operation mode, select Unicast.

On the Host Parameters tab, make sure that the unique host identifier is different for each member of the cluster.

On the Port Rules tab, make sure that there is a port rule specifying single affinity (the default). (Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.)

You should first make sure that at least one of the WSUS front-end servers can perform an initial synchronization. If the synchronization is successful, continue to the next step. Otherwise, review the WSUS setup and NLB cluster setup.

Instructions for configuring WSUS client machines are given in Update and Configure the Automatic Updates Client. However, in the case of WSUS on NLB clusters, you should specify the virtual address of the NLB cluster rather than the address of one of the individual servers. For example, if you are setting up your clients with a Group Policy object or Local Group Policy object, the value of the Specify intranet Microsoft update service location setting should be the virtual Web address.

Important

If you are using a DFS share, be careful when uninstalling WSUS from one but not all of the front-end servers. If you allow the WSUS content directory to be deleted, this will affect all the WSUS front-end servers.

Shut down the NLB service. At the command prompt type nlb.exe suspend.

Shut down IIS and the WSUS service. At the command prompt type iisreset /stop and then net stop wsusservice.

Ensure no other services are able to access the database during the upgrade window. At the command prompt type nlb.exe disable.

Back up your database.

On your machine hosting the database, click Start, and then click Run.

In the Open box, type %systemdrive%\%windir%\system32\ntbackup.exe and then click OK.

In the Backup or Restore Wizard, click Next.

Verify that Backup files and settings is selected, and then click Next.

Click Let me choose what to back up, and then click Next.

Under the location where your database files are stored, click the Data and LOG folders, and then click Next.

Use the Browse button to choose a place to save your backup, type a name for the backup, and then click Next.

If you want to set additional specifications for your backup, including whether it will be an incremental backup and whether you want to verify the backup, set a recurring schedule for the backup, or other options, click Advanced, and then follow the prompts that appear in the wizard.

When the wizard is finished, click Finish.

When the message appears that informs you that the backup is complete, click Close.

Upgrade each front-end machine individually.

Set up WSUS. At the command prompt type Wsussetup.exe /q /g.

Review the setup log to verify the upgrade was successful. At the command prompt type Wsussetup.log.

Ensure that IIS and the WSUS service are stopped. At the command prompt type iisreset /stop and then net stop wsusservice.

Proceed to the next machine.

Start IIS and the WSUS service. Click the Start button, point to Administrative tools, click Services, and then click the service you want to start.